On Monday 17 November 2003 1:53 pm, [EMAIL PROTECTED] wrote:

> I'm running Squid 2.5 STABLE4 in Transparency.
> The proxy server is my gateway.
>
> My NAT table looks as follows:
>
> [EMAIL PROTECTED] logs]# iptables -t nat -L
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> REDIRECT   tcp  --  anywhere             anywhere           tcp dpt:http redir ports 8000
> REDIRECT   tcp  --  anywhere             anywhere           tcp dpt:ftp redir ports 21
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination

If you're going to post netfilter rules, it's better to post either the 
original rules which went into the table, or else the output of "iptables -t 
nat -L -n -v".   The -n makes everything numeric so we can see what addresses 
are involved, and the -v shows more detail including the interfaces which the 
rules apply to.

> Web browsing and ftping both work, at the moment.
> I cannot get other internet connections to pass through the box.  i.e.:
> irc connections, telnet connections, etc.
>
> I imagine I need to be speaking with a linux person about this, but had a
> couple of questions about squid and transparency mode.

You could try the netfilter mailing list for a bunch of people who really 
know about this sort of thing.

> First.  I understand that squid proxies http traffic, only.  Is this
> correct?

Yes.   Squid will handle ftp requests over http, but only if the browser is 
configured to use the proxy.   In transparent mode http is all you get.

> So, all I should need are some redirects and forwards on the nat table and
> the other internet stuff should work.
> ie:  I shouldn't need to go into my client programs (putty, mIRC, etc) and
> tell them it's a proxy connection.

For anything except http it isn't a proxy connection - those protocols go 
directly through your firewall to the Internet, nothing to do with a Squid 
proxy being around the place.

Also, the whole point about transparent mode is that even for http, the 
client doesn't know there's a proxy - if it did, it wouldn't be transparent :)

Antony.

-- 

"I'm doing a (free) operating system (just a hobby, won't be big and 
professional like gnu) for 386(486) AT clones.

It is NOT portable , and it probably never will support anything other than 
AT-harddisks, as that's all I have :-(."

 - Excerpt from posting to comp.os.minix by Linus Torvalds, 25 Aug 1991
                                                     Please reply to the list;
                                                           please don't CC me.
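As an added illustration (not part of the original message or of Squid/netfilter), this Python sketch audits a nat table in `iptables-save` format for the points raised in the reply: which ports are redirected to the proxy, whether each REDIRECT is scoped to an interface (the detail `-v` exposes), and whether POSTROUTING has any source NAT for forwarded non-HTTP traffic. The sample is constructed to mirror the quoted table; the proxy port 8000 comes from that table, and the need for source NAT assumes the LAN uses private addresses.

```python
# Constructed sample in iptables-save format, mirroring the quoted nat table.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8000
-A PREROUTING -p tcp -m tcp --dport 21 -j REDIRECT --to-ports 21
COMMIT
"""

def parse_rules(text):
    """Yield (chain, options) for each '-A' line; options maps flag -> value."""
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 2 or tok[0] != "-A":
            continue  # skip table headers, chain policies, COMMIT, comments
        opts, i = {}, 2
        while i < len(tok):
            # A flag takes a value unless the next token is another flag.
            if i + 1 < len(tok) and not tok[i + 1].startswith("-"):
                opts[tok[i]] = tok[i + 1]
                i += 2
            else:
                opts[tok[i]] = ""
                i += 1
        yield tok[1], opts

def audit_nat(text, squid_port=8000):
    """Summarise REDIRECT rules and source NAT in a nat-table dump."""
    redirects, unscoped, source_nat = {}, [], False
    for chain, o in parse_rules(text):
        target = o.get("-j", "")
        if chain == "PREROUTING" and target == "REDIRECT":
            dport = o.get("--dport", "any")
            redirects[dport] = o.get("--to-ports", dport)
            if "-i" not in o:
                unscoped.append(dport)  # rule matches on every interface
        elif chain == "POSTROUTING" and target in ("MASQUERADE", "SNAT"):
            source_nat = True
    return {
        "redirects": redirects,
        "to_squid": sorted(p for p, to in redirects.items()
                           if to == str(squid_port)),
        "no_interface": unscoped,
        "has_source_nat": source_nat,
    }

if __name__ == "__main__":
    for key, value in audit_nat(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample, only port 80 reaches the proxy port, neither REDIRECT names an input interface, and no source NAT rule exists for traffic that bypasses Squid.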
